Smart Cities Under Attack: Why it Pays to Think Twice About IoT Security

The Internet of Things is transforming businesses across the planet. It has the power to make them safer, more efficient, productive, environmentally friendly, and agile. But there’s a real danger that these new systems could be used not just to infiltrate corporate networks, or hijacked to participate in botnets, but also to cause widespread panic and endanger lives across new smart city environments. A new paper published at Black Hat has painted exactly that scenario. Unfortunately, it’s not the first.

To mitigate the threats posed by our new IoT-powered world, we need to take action at every layer of this complex ecosystem. That means driving manufacturers to develop more secure devices, organisations to implement and configure them more securely, and the security industry to step up with practical solutions to keep systems safe going forward.

On the radar

Already those in the know are expressing concerns about an IoT market that’s expanding fast but driven by commercial and functionality demands rather than security. A new Tripwire poll of security professionals at Black Hat found 60% are more concerned about IoT security this year compared to 2017. They claimed to be most concerned about exposure of personal data, botnets, and network compromise.

They certainly have cause to be concerned. With an estimated 20.4 billion things set to be in use by 2020, and over seven billion specifically for use in businesses, the size of the corporate attack surface is growing rapidly. As the Mirai attacks of 2016 showed us, many devices can be conscripted into botnets simply by trying known and factory default username and log-in combinations. But as those security pros warned, exposed endpoints could also be hijacked as a useful stepping stone into corporate networks. The issue is that many IoT devices are left unprotected and unpatched, despite being always-on and connected to the public internet. Many IT departments don’t even know they exist if they’ve been purchased by other enterprise groups.

The FBI also recently issued a new warning about IoT devices: claiming that everything from NAS devices to satellite antennas, routers and IP cameras could be hijacked and used to commit click fraud, credential stuffing, and spam campaigns or simply to obfuscate the origin of malicious traffic.

“Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses,” it claimed. “Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic.”

While these are all legitimate concerns, what happens when the IoT device is itself the final target?

When smart cities attack

Research from Threatcare and IBM X-Force Red presented at Black Hat recently uncovered a staggering 17 zero-day vulnerabilities in smart city products from three little-known IoT companies: Libelium, Echelon and Battelle. These included some basic mistakes including default passwords, authentication bypass flaws and SQL injection vulnerabilities. Even worse, the teams found that hundreds of these vulnerable devices were sitting exposed to remote access by anyone on the internet.

The researchers claimed that this combination of poorly engineered kit implemented insecurely could allow for potentially “catastrophic” so-called “panic attacks” designed to interfere with the early warning and city management systems in place in many urban centres. To this end, IoT systems could be exploited to:

Silence flood sensors to prevent a warning being issued, or create panic by triggering one when there is no danger

Do the same with radiation leak warnings in areas surrounding nuclear power stations

Create chaos in cities by hijacking traffic management systems and/or set off building alarms

Seeking safety

As more of our cities come to depend on IoT systems designed to make them better places to live, they become exposed to digital threats. Simply ignoring the threat is the quickest way to a real-world scenario of the sort painted above. Instead we need a cross-industry effort to tackle these threats.

It starts with manufacturers getting serious about security. The truth is that IT buyers are increasingly wary of purchasing IoT devices because they can’t be trusted. That means there’s a huge opportunity for device makers to differentiate by investing more in security. A new BSI kitemark for IoT will help drive these investments in the UK by making it easier for buyers to spot trustworthy products. Hopefully the initiative will spread across Europe.

Buying more secure products is one thing, but organisations must also do their bit by ensuring they are implemented in secure systems. Leaving them exposed to the public internet is just asking for trouble. With increasingly limited in-house resources, this is where IT security managers could seek the advice of third-party experts, MSSPs and trusted vendor partners.

Fortunately, IT security vendors are catching up to the growing threat. IT managers should look for automated, centralized solutions which can enforce the full gamut of security controls right down to the IoT device level. Combine these with best practice security including regular pen testing and app scanning, strong password enforcement, regular patching of devices and network segmentation.

Pretty soon, you’ll begin to form the foundations of a strong, resilient IoT network. With the stakes this high, organisations can’t afford to keep their collective heads in the sand.

Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.